ansible-middleware#190: introduce custom fact: `ansible_local.keycloa…

…k.general.bootstrapped`
world-direct · Apr 19, 2024 · c5b7e48 · c5b7e48
1 parent 0c99f6d
commit c5b7e48
Show file tree

Hide file tree

Showing 9 changed files with 39 additions and 27 deletions.
diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
@@ -131,7 +131,7 @@ Role Defaults
 |`keycloak_quarkus_start_dev`| Whether to start the service in development mode (start-dev) | `False` |
 |`keycloak_quarkus_transaction_xa_enabled`| Whether to use XA transactions | `True` |
 |`keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route`| If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies and we rely on the session affinity capabilities from reverse proxy | `True` |
-|`keycloak_quarkus_purge_admin_credentials_after_bootstrapping`| If `True`, purges the env variables corresponding to `keycloak_quarkus_admin_user[_pass]` after bootstrapping since they are no longer needed | `True` |
+
 
 Role Variables
 --------------
@@ -143,6 +143,15 @@ Role Variables
 |`keycloak_quarkus_admin_url`| Base URL for accessing the administration console, including scheme, host, port and path | `no` |
 
 
+Role custom facts
+-----------------
+
+The role uses the following [custom facts](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#adding-custom-facts) found in `/etc/ansible/facts.d/keycloak.fact` (and thus identified by the `ansible_local.keycloak.` prefix):
+
+| Variable | Description |
+|:---------|:------------|
+|`general.bootstrapped` | A custom fact indicating whether this role has been used for bootstrapping keycloak on the respective host before; set to `false` (e.g., when starting off with a new, empty database) ensures that the initial admin user as defined by `keycloak_quarkus_admin_user[_pass]` gets created |
+
 License
 -------
 

diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
@@ -20,7 +20,6 @@ keycloak_quarkus_service_pidfile: "/run/keycloak/keycloak.pid"
 keycloak_quarkus_service_restart_always: false
 keycloak_quarkus_service_restart_on_failure: false
 keycloak_quarkus_service_restartsec: "10s"
-keycloak_quarkus_purge_admin_credentials_after_bootstrapping: true
 
 keycloak_quarkus_configure_firewalld: false
 keycloak_quarkus_configure_iptables: false
@@ -136,6 +135,3 @@ keycloak_quarkus_log_target: /var/log/keycloak
 keycloak_quarkus_log_max_file_size: 10M
 keycloak_quarkus_log_max_backup_index: 10
 keycloak_quarkus_log_file_suffix: '.yyyy-MM-dd.zip'
-
-### Internally used variables
-keycloak_quarkus_internal_bootstrapped: false
diff --git a/roles/keycloak_quarkus/handlers/main.yml b/roles/keycloak_quarkus/handlers/main.yml
@@ -4,7 +4,7 @@
   ansible.builtin.include_tasks: rebuild_config.yml
   listen: "rebuild keycloak config"
 - name: "Bootstrapped"
-  ansible.builtin.include_tasks: systemd.yml
+  ansible.builtin.include_tasks: bootstrapped.yml
   listen: bootstrapped
 - name: "Restart {{ keycloak.service_name }}"
   ansible.builtin.include_tasks: restart.yml

diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -338,10 +338,6 @@ argument_specs:
                 description: >
                   If the route should be attached to cookies to reflect the node that owns a particular session. If false, route is not attached to cookies
                   and we rely on the session affinity capabilities from reverse proxy
-            keycloak_quarkus_purge_admin_credentials_after_bootstrapping:
-                default: true
-                type: "bool"
-                description: >
                   If `True`, purges the env variables corresponding to `keycloak_quarkus_admin_user[_pass]` after bootstrapping since they are no longer needed
     downstream:
         options:

diff --git a/roles/keycloak_quarkus/tasks/bootstrapped.yml b/roles/keycloak_quarkus/tasks/bootstrapped.yml
@@ -0,0 +1,15 @@
+---
+- name: Write ansible custom facts
+  become: true
+  ansible.builtin.template:
+    src: keycloak.fact.j2
+    dest: /etc/ansible/facts.d/keycloak.fact
+  vars:
+    bootstrapped: true
+
+- name: Re-read custom facts
+  ansible.builtin.setup:
+    filter: ansible_local
+
+- name: Ensure that `KEYCLOAK_ADMIN[_PASSWORD]` get purged
+  ansible.builtin.include_tasks: systemd.yml
diff --git a/roles/keycloak_quarkus/tasks/install.yml b/roles/keycloak_quarkus/tasks/install.yml
@@ -16,17 +16,6 @@
     path: "{{ keycloak.home }}"
   register: existing_deploy
 
-- name: "Check whether {{ keycloak.service_name }} has been bootstrapped"
-  become: true
-  ansible.builtin.command: grep -Fxq "{{ keycloak.bootstrap_mnemonic }}" "{{ keycloak_quarkus_sysconf_file }}"
-  register: keycloak_bootstrapped_mnemonic
-  changed_when: false
-  failed_when: false
-
-- name: "Initialize keycloak_quarkus_internal_bootstrapped"
-  ansible.builtin.set_fact:
-    keycloak_quarkus_internal_bootstrapped: "{{ keycloak_bootstrapped_mnemonic.rc == 0 }}"
-
 - name: "Create {{ keycloak.service_name }} service user/group"
   become: true
   ansible.builtin.user:
@@ -44,6 +33,13 @@
     group: "{{ keycloak.service_group }}"
     mode: '0750'
 
+- name: Create directory for ansible custom facts
+  become: true
+  ansible.builtin.file:
+    state: directory
+    recurse: true
+    path: /etc/ansible/facts.d
+
 ## check remote archive
 - name: Set download archive path
   ansible.builtin.set_fact:

diff --git a/roles/keycloak_quarkus/tasks/main.yml b/roles/keycloak_quarkus/tasks/main.yml
@@ -112,11 +112,9 @@
 
 - name: "Trigger bootstrapped notification: remove `keycloak_quarkus_admin_user[_pass]` env vars"
   when:
-    - keycloak_quarkus_purge_admin_credentials_after_bootstrapping
-    - not keycloak_quarkus_internal_bootstrapped             # it was not bootstrapped prior to the current role's execution
-    - keycloak_service_status.status.ActiveState == "active" # but it is now
-  ansible.builtin.set_fact:
-    keycloak_quarkus_internal_bootstrapped: true
+    - ansible_local.keycloak.general.bootstrapped | default(false) | bool == false # it was not bootstrapped prior to the current role's execution
+    - keycloak_service_status.status.ActiveState == "active"                       # but it is now
+  assert: { that: true, quiet: true }
   changed_when: true
   notify:
     - bootstrapped

diff --git a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
@@ -1,5 +1,5 @@
 {{ ansible_managed | comment }}
-{% if not keycloak_quarkus_purge_admin_credentials_after_bootstrapping or not keycloak_quarkus_internal_bootstrapped %}
+{% if ansible_local.keycloak.general.bootstrapped | default(false) | bool == False %}
 KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
 KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
 {% else %}

diff --git a/roles/keycloak_quarkus/templates/keycloak.fact.j2 b/roles/keycloak_quarkus/templates/keycloak.fact.j2
@@ -0,0 +1,2 @@
+[general]
+bootstrapped={{ bootstrapped | lower }}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		[general]
		bootstrapped={{ bootstrapped \| lower }}